Terraform Quickstart
HashiCorp is an excellent company - I have used Vagrant in the past - Terraform works very well.
Terraform does not maintain state in the account (via a CloudFormation stack) - it uses a local .tfstate file.
Also use Vault for secrets, and use Terragrunt as a wrapper.
https://www.terraform.io/ - download from https://www.terraform.io/downloads.html, extract the archive and move the binary.
Follow https://learn.hashicorp.com/terraform/getting-started/install.html and https://learn.hashicorp.com/terraform/getting-started/change
AWS key/secret are in ~/.aws/credentials and config for the region for the config.ts details.
The AWS provider as part of terraform is internal and not directly related to the native AWS CLI - AWS Developer Guide#AWSCLI
https://github.com/terraform-providers/terraform-provider-aws/tree/master/examples
Installing Terraform
Check for the latest version (as of 20190822) in https://github.com/hashicorp/terraform/blob/v0.12.7/CHANGELOG.md
20200206: v0.12.21 https://github.com/hashicorp/terraform/blob/master/version/version.go
I usually run terraform on a jump box when running multiple laptops.
https://www.terraform.io/downloads.html
$ sudo cp ~/Downloads/terraform /usr/local/bin
$ terraform -version
Terraform v0.12.2
Install AWS CLI to provide credentials
The AWS credentials will be installed and ready for terraform - see AWS Developer Guide#AWSCLI or just do an
aws configure
Linux/Ubuntu Terraform Installation
# the EC2 VM, even if it is Ubuntu instead of Amazon Linux, will have the AWS secret key provisioned if the AWS CLI was installed - verify
ubuntu@ip-172-31-94-184:~$ ls ~/.aws
config credentials
ubuntu@ip-172-31-94-184:~$ cat ~/.aws/credentials
[default]
aws_access_key_id = A**
aws_secret_access_key = Dl****l
# get the latest
$ wget https://releases.hashicorp.com/terraform/0.12.7/terraform_0.12.7_linux_amd64.zip
$ sudo apt install unzip
$ sudo unzip terraform_0.12.7_linux_amd64.zip terraform
Archive: terraform_0.12.7_linux_amd64.zip
  inflating: terraform
$ sudo cp terraform /usr/local/bin
# executable by everyone, writable only by root (777 would let any local user replace the binary)
$ sudo chmod 755 /usr/local/bin/terraform
$ exit
# upload a minimal template
obrienbiometrics:terraform michaelobrien$ scp aws_instance.tf ubuntu@bastion.obrienlabs.cloud:~/
aws_instance.tf 100% 102 1.1KB/s 00:00
# go back into the box
obrienbiometrics:terraform michaelobrien$ ssh ubuntu@bastion.obrienlabs.cloud
$ terraform init
* provider.aws: version = "~> 2.17"
Terraform has been successfully initialized!
$ terraform apply
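The download step above fetches the release archive without checking it. As an added example (not part of the original page), this checks an archive against the SHA256SUMS file HashiCorp publishes beside each release before the binary is copied into /usr/local/bin. The function name verify_release and the stand-in files in the demo are assumptions made for illustration, and sha256sum is assumed to be available, as it is on Ubuntu.

```shell
#!/bin/sh
# verify_release ZIP SUMS_FILE
# Returns 0 if SUMS_FILE lists ZIP's file name and the SHA-256 digest matches,
# 1 on a digest mismatch, 2 if SUMS_FILE has no entry for that file name.
verify_release() {
    zip_path=$1
    sums_path=$2
    name=$(basename "$zip_path")
    # SHA256SUMS lines have the form "<64 hex digits>  <file name>"
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums_path")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$zip_path" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Constructed demo, runs offline: a stand-in archive and a matching sums file.
demo_dir=$(mktemp -d)
zip="$demo_dir/terraform_0.12.7_linux_amd64.zip"
sums="$demo_dir/terraform_0.12.7_SHA256SUMS"
printf 'constructed stand-in for the release archive\n' > "$zip"
( cd "$demo_dir" && sha256sum "$(basename "$zip")" > "$sums" )

verify_release "$zip" "$sums" && echo "intact archive: accepted"

# Simulate corruption or tampering in transit, then check again.
printf 'extra bytes\n' >> "$zip"
verify_release "$zip" "$sums" 2>/dev/null || echo "modified archive: rejected"

rm -rf "$demo_dir"
```

A matching digest only shows the archive agrees with the sums file; HashiCorp also publishes a detached signature for that file, which is what ties it to the publisher.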
Local Terraform Installation
$ sudo cp ~/Downloads/terraform /usr/local/bin/
$ sudo chmod +x /usr/local/bin/terraform
$ terraform init
* provider.aws: version = "~> 2.12"
Terraform has been successfully initialized!
# leave out your creds for auto discovery except the region
obrienbiometrics:terraform michaelobrien$ cat aws_instance.tf
resource "aws_instance" "example" {
  ami = "ami-2757f631"
  instance_type = "t2.micro"
}
provider aws {
  region = "us-east-1"
}
obrienbiometrics:terraform michaelobrien$ terraform apply
provider.aws.region
  The region where AWS operations will take place.
Do you want to perform these actions?
  Enter a value: yes
aws_instance.example: Creation complete after 35s [id=i-0c85247989abb315a]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
# see terraform.tfstate
# modify ami
$ terraform apply
Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
# destroy
$ terraform destroy
Plan: 0 to add, 0 to change, 1 to destroy.
Windows Terraform Installation
Download the latest 64 bit version 0.12.7 from https://releases.hashicorp.com/terraform/0.12.7/terraform_0.12.7_windows_amd64.zip
Copy the terraform.exe executable into any directory on your path - for example c:/opt/bin
0.12.0 has 2.13, 0.12.7 has 2.26
$ terraform init
Initializing the backend...
Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (terraform-providers/aws) 2.26.0...
The following providers do not have any version constraints in configuration, so the latest version was installed.
To prevent automatic upgrades to new major versions that may contain breaking changes, it is recommended to add version = "..." constraints to the corresponding provider blocks in configuration, with the constraint strings suggested below.
* provider.aws: version = "~> 2.26"
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work.
If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.
# if you don't have the AWS CLI installed yet - create the aws credentials file and validate it
# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
$ vi ~/.aws/credentials
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
  # aws_instance.example will be created
  + resource "aws_instance" "example" {
      + ami = "ami-2757f631"
Plan: 1 to add, 0 to change, 0 to destroy.
$ terraform apply
Instance: i-0bf09a07a574e5c53
Public DNS: ec2-52-91-61-19.compute-1.amazonaws.com
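A credentials file created by hand in an editor takes its mode from the umask, and the local terraform.tfstate and the terraform binary are equally sensitive on a shared jump box. As an added example (not part of the original page), this audits those three files; the function names and the scratch-directory stand-ins are assumptions made for illustration.

```shell
#!/bin/sh
# perms FILE -> the nine permission characters from `ls -ld`, e.g. "rw-r--r--"
perms() {
    [ -e "$1" ] || return 2
    ls -ld "$1" | cut -c2-10
}

# is_private FILE: succeeds only if group and other have no access at all
# (the mode wanted for ~/.aws/credentials and terraform.tfstate).
is_private() {
    p=$(perms "$1") || return 2
    [ "$(printf '%s' "$p" | cut -c4-9)" = "------" ]
}

# is_owner_writable_only FILE: succeeds only if neither group nor other can
# write (the mode wanted for an executable on PATH).
is_owner_writable_only() {
    p=$(perms "$1") || return 2
    [ "$(printf '%s' "$p" | cut -c5)" != "w" ] &&
        [ "$(printf '%s' "$p" | cut -c8)" != "w" ]
}

# audit CREDENTIALS STATE BINARY: prints findings and returns how many.
# Files that do not exist are skipped.
audit() {
    findings=0
    for f in "$1" "$2"; do
        [ -e "$f" ] || continue
        is_private "$f" ||
            { echo "FINDING: $f is accessible beyond its owner"; findings=$((findings + 1)); }
    done
    if [ -e "$3" ] && ! is_owner_writable_only "$3"; then
        echo "FINDING: $3 is writable beyond its owner"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed demo in a scratch directory (stand-ins for the real paths).
d=$(mktemp -d)
printf '[default]\n' > "$d/credentials";  chmod 644 "$d/credentials"  # editor + umask 022
printf '{}\n' > "$d/terraform.tfstate";   chmod 644 "$d/terraform.tfstate"
printf '#!/bin/sh\n' > "$d/terraform";    chmod 777 "$d/terraform"
audit "$d/credentials" "$d/terraform.tfstate" "$d/terraform" || echo "findings before: $?"
chmod 600 "$d/credentials" "$d/terraform.tfstate"
chmod 755 "$d/terraform"
audit "$d/credentials" "$d/terraform.tfstate" "$d/terraform" && echo "findings after: 0"
rm -rf "$d"
```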
Upgrading Terraform
ubuntu@ip-172-31-94-184:~$ terraform -version
Terraform v0.12.6
+ provider.aws v2.17.0
Your version of Terraform is out of date! The latest version is 0.12.19. You can update by downloading from www.terraform.io/downloads.html
AWS Provider Examples
https://github.com/terraform-providers/terraform-provider-aws/tree/master/examples
or
Issues
Sync AWS out of band changes
When you have made changes outside of Terraform, run terraform init to sync.
terraform init
Resync after AWS account switch
Scenario: create a stack, switch .aws/credentials account, attempt to destroy - successful but 0 actions, now terraform init and attempt to destroy on original account - nothing.
Headless Terraform scripts
Azure Provider Examples
see https://github.com/terraform-providers
Terraform on an AWS Bastion VM
In order to keep the terraform init configuration in one place - among multiple laptops/accounts - run the templates from a bastion box.
Links
Terraform Cloud Run Triggers | https://www.hashicorp.com/blog/creating-infrastructure-pipelines-with-terraform-cloud-run-triggers/ |
Kubectl from Terraform | https://medium.com/citihub/a-more-secure-way-to-call-kubectl-from-terraform-1052adf37af8 |
1 Comment
Michael O'Brien
add terraform plan and import (cloudformer)
check PyCharm proxy also
3scale redhat openshift